Tutorial

Mastering Role-Based Access Control in Nuxt

Learn how to secure your application with granular permissions using Nuxt Auto CRUD's built-in RBAC system.

Security is paramount in any application. When exposing APIs automatically, you need a robust way to control who can access what. Nuxt Auto CRUD comes with a powerful Role-Based Access Control (RBAC) system built right in.

The RBAC Model

Our permission system is built on four core concepts:

  1. Users: The people accessing your system.
  2. Roles: Groups that users belong to (e.g., Admin, Manager, User).
  3. Resources: The data entities you want to protect (e.g., Posts, Comments).
  4. Permissions: The specific actions allowed (e.g., Create, Read, Update, Delete).

Setting Up Permissions

Permissions are managed in the database, allowing for dynamic updates without code changes.

1. Define Roles

Create roles in the roles table.

INSERT INTO roles (name) VALUES ('admin'), ('editor'), ('viewer');

2. Assign Permissions

Link roles to resources and actions in the role_resource_permissions table.

  • Admin: Can do everything on all resources.
  • Editor: Can create and update posts, but only read comments.
  • Viewer: Can only read posts and comments.

Protecting Your APIs

Once configured, Nuxt Auto CRUD automatically checks permissions for every request.

  • If a user tries to DELETE /api/posts/1 but only has read access, they get a 403 Forbidden response.
  • If a user tries to access a resource that doesn't exist, or one that they don't have access to, they get a 404 Not Found or a 403 Forbidden response.
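The grants from step 2 written out, together with the lookup that the per-request check in this section needs, as an added example that is not Nuxt Auto CRUD's own code. It assumes that roles has an integer id primary key and that role_resource_permissions stores one (role_id, resource, action) row per grant; the tutorial names the table but not its columns.

```sql
-- Assumed schema for the table the tutorial names but does not describe:
-- one row per (role, resource, action) grant, unique per combination.
CREATE TABLE role_resource_permissions (
  role_id  INTEGER     NOT NULL REFERENCES roles(id),
  resource VARCHAR(64) NOT NULL,   -- 'posts', 'comments'
  action   VARCHAR(16) NOT NULL,   -- 'create', 'read', 'update', 'delete'
  UNIQUE (role_id, resource, action)
);

-- admin: every action on both resources the tutorial mentions
INSERT INTO role_resource_permissions (role_id, resource, action)
SELECT id, 'posts',    'create' FROM roles WHERE name = 'admin' UNION ALL
SELECT id, 'posts',    'read'   FROM roles WHERE name = 'admin' UNION ALL
SELECT id, 'posts',    'update' FROM roles WHERE name = 'admin' UNION ALL
SELECT id, 'posts',    'delete' FROM roles WHERE name = 'admin' UNION ALL
SELECT id, 'comments', 'create' FROM roles WHERE name = 'admin' UNION ALL
SELECT id, 'comments', 'read'   FROM roles WHERE name = 'admin' UNION ALL
SELECT id, 'comments', 'update' FROM roles WHERE name = 'admin' UNION ALL
SELECT id, 'comments', 'delete' FROM roles WHERE name = 'admin';

-- editor: create and update posts, read comments (as described in step 2)
INSERT INTO role_resource_permissions (role_id, resource, action)
SELECT id, 'posts',    'create' FROM roles WHERE name = 'editor' UNION ALL
SELECT id, 'posts',    'update' FROM roles WHERE name = 'editor' UNION ALL
SELECT id, 'comments', 'read'   FROM roles WHERE name = 'editor';

-- viewer: read posts and comments only
INSERT INTO role_resource_permissions (role_id, resource, action)
SELECT id, 'posts',    'read' FROM roles WHERE name = 'viewer' UNION ALL
SELECT id, 'comments', 'read' FROM roles WHERE name = 'viewer';

-- The lookup behind the per-request check: map the HTTP method to an
-- action (DELETE -> 'delete', GET -> 'read', ...) and the path to a
-- resource ('/api/posts/1' -> 'posts'), then ask whether the caller's
-- role holds that grant. A row means allowed; no row means 403 Forbidden.
SELECT 1
FROM role_resource_permissions p
JOIN roles r ON r.id = p.role_id
WHERE r.name = 'viewer' AND p.resource = 'posts' AND p.action = 'delete';
```

The final SELECT is the DELETE /api/posts/1 case from the list above for a viewer: the role holds only 'read' on posts, so the query finds no grant and the request is the one answered with 403.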

Fine-Grained Control

You can also implement row-level security and custom policies by hooking into the module's lifecycle events, ensuring that users can only edit their own data.

Secure your app with confidence using Nuxt Auto CRUD.